Lucene search

GitHub Advisory DatabaseGHSA-67FW-W8F2-88WP

HistoryAug 01, 2024 - 6:32 p.m.

casdoor's use of`ssh.InsecureIgnoreHostKey()` disables host key verification

2024-08-0118:32:50

CWE-200

CWE-295

CWE-297

GitHub Advisory Database

github.com

casdoor

ssh

security flaw

sensitive information

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

37.7%

JSON

An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method.

Affected configurations

Vulners

Node

casdoorcasdoorRange1.541.0–1.636.0

VendorProductVersionCPE
casdoorcasdoor*cpe:2.3:a:casdoor:casdoor:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
casdoor	casdoor	*	cpe:2.3:a:casdoor:casdoor::::::::

References

gist.github.com/nyxfqq/33ceaccbc9b05d439a944c2b55fa1c0f

github.com/advisories/GHSA-67fw-w8f2-88wp

github.com/casdoor/casdoor/blob/v1.636.0/object/viaSSHDialer.go

nvd.nist.gov/vuln/detail/CVE-2024-41264

pkg.go.dev/vuln/GO-2024-3026

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

37.7%

JSON

Related for GHSA-67FW-W8F2-88WP